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application, please amend the above-identified application as 
follows : 



Page 1, in the paragraph beginning on line 1, change as follows: 



The invention relates to a method for converting a digital 
input block into a digital output block; said conversion comprising 
the step of merging a selected part Ml of the digital input block 
with a first key Kl and producing a data block Bl which non- 
linearly depends on the selected part Ml and the first key Kl, and 
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PRELIMINARY AMENDMENT 



Sir: 



IN THE SPECIFICATION 



FIELD OF THE INVENTION 



where a selected part of the digital output block is derived from 
the data block Bl. 

Page 1, in the paragraph beginning on line 6, change as follows: 

The invention further relates to an apparatus for 
cryptographically converting a digital input block into a digital 
output block; the apparatus comprising first input means for 
supplying the digital input block; second input means for supplying 
a first key Kl ; cryptographic processing means for converting the 
digital input block into the digital output block; such conversion 
comprising merging a selected part Ml of the digital input block 
with the first key Kl and producing a data block Bl which non- 
linearly depends on the selected part Ml and the first key Kl, and 
where a selected part of the digital output block is derived from 
the data block Bl; and output means for outputting the digital 
output block. 

Page 1, in the paragraph beginning on line 15, change as follows: 

BACKGROUND OF THE INVENTION 
The Data Encryption Standard (DES) of the National Bureau of 
Standard [FIPS publication 46, 1977 January 15] describes a widely 
used algorithm for converting a digital input block into a digital 
output block. Such an algorithm is generally referred to as a block 
cipher. The DES algorithm is used for encrypting (enciphering) and 
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decrypting (deciphering) binary coded information. Encrypting 
converts intelligible data, referred to as plaintext, into an 
unintelligible form, referred to as ciphertext. Decrypting the 
ciphertext converts the data back to its original form. In the so- 
called electronic code book mode, DES is used to encrypt blocks of 
64 bits of plaintext into corresponding blocks of 64 bits of 
ciphertext. In this mode, the encryption uses keys which are 
derived from a 64 bit key, of which 56 bits may be freely selected. 
Figure 1 shows the overall structure of DES during encrypting. In 
the encrypting computation, the input (64 bit plaintext) is first 
permuted using a 64 bit fixed permutation IP. The result is split 
into 32 left bits L 0 and 32 right bits R 0 . The right bits are trans- 
formed using a cipher function f(R 0 ,Ki), where K x is a sub-key. The 
result f (R 0 ,Ki) is added (bit-wise modulo 2) to the left bits, fol- 
lowed by interchanging the two resulting 32 bit blocks L 0 □ f (Ro/Ki) 
and R 0 - This procedure is continued iteratively for a total of 16 
rounds. At the end of the last round the inverse permutation of the 
initial permutation IP is applied. 

Page 3, in the paragraph beginning on line 6, change as follows: 

SUMMARY OF THE INVENTION 
It is an object of the invention to provide a cryptographic 
method and apparatus of the kind set forth which is more robust 
against cryptanalytic attacks. 
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Page 3, in the paragraph beginning on line 9, change as follows: 

To achieve this object , the cryptographic method according to 
the invention is characterised in that the step of merging the data 
and the key is performed by executing a non-linear function g for 
non-linearly merging said selected part Ml of the data and said 
first key Kl in one, sequentially inseparable step. In the DES 
system, as shown in figure 2, in a first processing step the R data 
is bit-wise added to the key, followed by a second processing step 
of non-linearly processing the result (S-boxes) . According to the 
invention, an algorithm is used which non-linearly merges data with 
a key in one step (i.e. one, sequentially inseparable step). As 
such, adding the key bits to the data is an integrated part of the 
non-linear operation, making the system more immune against modern 
attacks, such as differential cryptanalysis . 

Page 3, in the paragraph beginning on line 19, change as follows: 

In an embodiment of the method according to the invention , in 
each round both parts of the digital input block are processed, 
giving a better encryption result than for conventional Feistel 
ciphers, such as DES, where during each round only half of the 
digital input block is being processed. To ensure that the same 
system can be used for both encryption and decryption, one part of 
the data is processed using an operation g, whereas the other half 
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is processed using the inverse operation g' 1 . Using this scheme, 
decrypting is performed by using the same system but supplying the 
keys in reverse order to the rounds (during decryption the first 
non-linear step is supplied with the key which, during encryption, 
was supplied to the last non-linear step, etc ) . Compared to a 
conventional implementation of a Feistel cipher with twice as many 
rounds, the system according to the invention is faster. 

Page 3, in the paragraph beginning on line 30 , change as follows: 

The measure of splitting a relatively large data block and 
key, of for instance 64 bits, into smaller sub-blocks and sub-keys 
simplifies real-time non-linear processing. 

Page 3, in the paragraph beginning on line 33, change as follows: 

In an embodiment of the method according to the invention , a 
constant is used to enhance the quality of the encryption. Advan- 
tageously, the constant is predetermined per system, forming, for 
instance, a customer-specific constant. Alternatively, the constant 
is generated using a pseudo-random generator. 

Page 4, in the paragraph beginning on line 3, change as follows: 

The invention provides a way for non-linearly merging the data 
sub-block and the sub-key in one step. Additionally, different 
inputs all result in different outputs. This increases the immunity 
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of the system against cryptanalytic attacks, compared to DES where 
the non-linear operation reduces the 6-bit input sub-block to a 4- 
bit output sub-block, implying that the same output is produced for 
four different inputs* 

Page 4, in the paragraph beginning on line 8, change as follows: 

In an embodiment of the method according to the invention a 
constant is used to enhance the quality of the encryption. Advan- 
tageously, the constant is predetermined per system, forming, for 
instance, a customer-specific constant. Alternatively, the constant 
is generated using a pseudo-random generator. 

Page 4, please delete the entire paragraph beginning on line 12. 

Page 4, in the paragraph beginning on line 14, change as follows: 

In an embodiment of the method according to the invention 
individual sub-blocks corresponding to different parts of the 
digital input block are swapped to improve the quality of the 
encryption. 

Page 4, in the paragraph beginning on line 20, change as follows: 

Another embodiment has the advantage of reducing the 
multiplication in GF(2 8 ) to operations in GF(2 4 ), making it possible 
to achieve a simpler or more cost-effective implementation. 
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Page 4, in the paragraph beginning on line 23, change as follows: 

The multiplication in GF(2 8 ) may be reduced to operations in GF(2 4 ) . 

Page 4, in the paragraph beginning on line 28, change as follows: 

An embodiment of the method according to the invention is 
characterised in that calculating the inverse b in an element of 
GF(2 8 ) comprises performing a series of calculations in GF(2 4 ). By 
reducing the inverse operation in GF(2 8 ) to operations in GF(2 4 ) a 
simpler or more-cost effective implementation can be achieved. 

Page 5, in the paragraph beginning on line 13, change as follows: 

BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 shows the processing steps for the DES system, 
Figure 2 illustrates details of merging the data with the key 

and the non-linear operation in DES, 

Figure 3 illustrates details of the key calculation in DES, 
Figure 4 shows a block diagram of the cryptographic apparatus 

of the invention, 

Figure 5 illustrates separate processing of two parts of the 

digital input block, 

Figure 6 illustrates processing of a part of the digital input 

block in the form of sub-blocks, 
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Figure 7 illustrates processing of two parts in the form of 
sub-blocks, and 

Figure 8 shows an overall encryption system. 

Page 5, in the paragraph beginning on line 25, change as follows: 

DETAILED DESCRIPTION OF THE INVENTION 
Figure 4 shows a block diagram of the cryptographic apparatus 
4 00 according to the invention. For the purpose of explaining the 
invention, the system is described in the electronic code book 
mode. Persons skilled in the art will be able to use the system in 
other modes as well. The apparatus 400 comprises first input means 
410 for providing a digital input block M. The digital input block 
M may be any suitable size. Preferably, M is sufficiently large, 
for instance 128 bits, to obtain a reasonably secure encryption 
result. The apparatus 400 further comprises cryptographic process- 
ing means 420 for converting the digital input block into a digital 
output block. Advantageously, the digital output block has substan- 
tially equal length as the digital input block. The apparatus 400 
comprises output means 430 for outputting the digital output block. 
Basically, the cryptographic processing means 420 converts the 
digital input block M into the digital output block by merging a 
selected part Ml of the digital input block M with a first key Kl, 
producing a data block Bl which non-linearly depends on Ml and Kl . 
The merging is performed in one, sequentially inseparable step. The 
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digital output block is derived from Bl and the remaining part of 
M, which is not part of Ml* To obtain the first key Kl, the 
cryptographic apparatus 400 comprises second input block 440. As 
will be described in more details below, a second part M2 of the 
digital input block may be non-linearly merged with a second key 
K2, preferably, using an operation inverse to the operation for 
merging Ml and Kl, producing a data block B2. In this case, the 
digital output block also depends on B2 . To obtain the second key 
K2, the cryptographic apparatus 4 00 comprises third input block 
450. 

Page 6, in the paragraph beginning on line 22, change as follows: 

Details of the cryptographic conversion process will now be 
described for encrypting blocks of 128 bits of plaintext into 
corresponding blocks of 128 bits of ciphertext. Persons skilled in 
the art will be able to use the system for other block sizes as 
well. Data sizes shown in the Figures are given for reasons of 
clarity and should be treated as examples only. The description 
focuses on the non-linear processing of the data and the merging of 
the key with the data as performed in one round. As such the 
invention can be applied in a system as shown in Figure 1, compris- 
ing multiple rounds and also including a linear operation on the 
data block in each round. 



S : \TH\AMEND\phnl5813b_pre . doc 



9 



Page 10, in the paragraph beginning on line 19, change as follows: 

In principle, for the invention any multiplication in GF(2 8 ) 
may be used. An example of a VLSI implementation of multiplications 
in GF(2 m ) is given in [P. A. Scott, "A fast VLSI multiplier for 
GF (2 m ) " , IEEE Journal on selected areas in communications, Vol. 
SAC-4, No. 1, January 1986, pages 62-66]. Advantageously, the 
following mechanism is used to reduce the multiplication in GF(2 8 ) 
to a series of multiplications and additions in GF(2 4 ). As is known 
in the art, in finite fields with a characteristic of 2 (e.g. 
GF(2 n )) and the Galois field represented in binary arithmetic, the 
subtraction operation (i.e. the inverse of addition) is the same as 
the addition operation. For convenience, the symbol is used 

herein for this addition/subtraction operation, although a "-" 
symbol may be equivalently substituted for ease of understanding, 
as required. 

IN THE ABSTRACT 

Please cancel the present Abstract and substitute the 
rewritten Abstract attached. 
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IN THE CLAIMS 

Please cancel claims 1-20 and add new claims 21-40 as follows: 

21. (New) A program segment stored on a computer readable 
medium for cryptographically converting a digital input data block 
M into a digital output data block; said program segment 
comprising: 

a program portion for merging a selected part Ml of said 
digital input data block M with a first digital key Kl to produce a 
data block Bl which non-linearly depends on said selected part Ml 
and said first digital key Kl; and 

a program portion for deriving said digital output block from 
said data block Bl and the remaining part of the digital input data 
block M, wherein said merging step is performed by executing a non- 
linear function g for non-linearly merging said selected part Ml 
and said first key Kl in a single step. 

22. (New) A program segment as claimed in claim 21, 
comprising: 

a program portion for splitting said digital input block into 
said selected part Ml and a second part M2 before executing said 
program portion for merging; 

a program portion for executing a non-linear function g" 1 to 
merge said second block M2 with a second key K2 in one step, 
producing a data block B2 as output; said non-linear function g" 1 
being the inverse of said non-linear function g; and 

a program portion for forming combined data from data in said 
data block Bl and in said data block B2; said digital output block 
being derived from said combined data. 
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23. (New) A program segment as claimed in claim 21, wherein 
said program portion for merging comprises: 

a program portion for splitting said selected part Ml in a 
first plurality n of sub-blocks m 0 , . * ,m n -i of substantially equal 
length; 

a program portion for splitting said first key Kl in said 
first plurality n of sub-keys k 0 , ..,k n _i, substantially having equal 
length, the sub-key ki corresponding to the sub-block m i; for i = 0 
to n-1; 

a program portion for separately processing each of said sub- 
blocks mi by executing for each of said sub-blocks mi a same non- 
linear function h for non-linearly merging a sub-block bi derived 
from said sub-block mi with said corresponding sub- key ki in one, 
sequentially inseparable step and producing said first plurality of 
output sub-blocks h(bi, ki) ; and 

a program portion for combining sub-blocks t ± derived from 
said first plurality of said output sub-blocks h(b x/ k x ) to form 
said data block Bl. 

24. (New) A program segment as claimed in claim 22, wherein 
said program portion for executing said non-linear function g" 1 
comprises : 

a program portion for splitting said second part M2 in said 
first plurality n of sub-blocks m n , ..,m 2n -i/ substantially having 
equal length; 

a program portion for splitting said key K2 in said first 
plurality n of sub-keys k n , . .,k 2n -i, substantially having equal 
length, the sub-key k x corresponding to the sub-block m lf for i = n 
to 2n-l; 

a program portion for executing for each of said sub-blocks mi 
a same non-linear function h" 1 for non-linearly merging a sub-block 
bi derived from said sub-block mi with said corresponding sub-key ki 
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and producing said first plurality of an output sub-block h~ 1 (b 1 , 
ki) ; said function h" 1 being the inverse of said function h; and 

a program portion for combining sub-blocks t ± derived from 
said first plurality of output sub-blocks h" 1 (b i , kj to form said 
data block B2 . 

25. (New) A program segment as claimed in claim 23, wherein 
said sub-block b x is derived from said sub-block m x by bit-wise 
adding a constant pi to said sub-block m x , said constant pi 
substantially having equal length as said sub-block mi. 

26. (New) A program segment as claimed in claim 23, 
characterised in that said function h(bi,ki) is defined by: 
h(bi,ki) = (bi.ki)" 1 , if b 1 * 0, k L * 0, and bi * k x 

h(bi,kj - (kj" 2 , if bi - 0 

Mb^kJ = (bi)" 2 , if k x = 0 

htbi^kj = 0, if bi = k if 

where the multiplication and inverse operations are predetermined 
Galois Field multiplication and inverse operations. 

27. (New) A program segment as claimed in claim 26, wherein 
deriving said sub-blocks ti from said output sub-blocks h(bi, ki) 
comprises bit-wise adding a constant d x to said output sub-block 
h(bi,ki), said constant di substantially having equal length as said 
sub-block mi. 

28. (New) A program segment as claimed in claim 27, wherein 
deriving said sub-blocks ti from said output sub-blocks h(b x , ki) 
further comprises raising h(bi / k 1 ) © d± to a power 2 1 , using said 
predetermined Galois Field multiplication. 
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29. (New) A program segment as claimed in claim 26, wherein 
deriving said sub-blocks t x from said output sub-blocks h{b lf kj 
comprises raising said output sub-block h(bi,ki) to a power 2 1 , 
using said predetermined Galois Field (GF) multiplication. 

30. (New) A program segment as claimed in claim 24, wherein 
said combined data is formed by: 

swapping the sub-blocks t x and t 2n -i-i, for i = 0 to n-1; and 
concatenating the swapped sub-blocks. 

31. (New) A program segment as claimed in claim 26, wherein 
said sub-block m x comprises eight data bits, and wherein said 
multiplying of two elements b and c of GF(2 8 ) comprises executing a 
series of multiplications and additions in GF(2 4 ). 

32. (New) A program segment as claimed in claim 31, wherein 
said multiplying of said two elements b and c comprises: 

representing b as a 0 + ai.D and c as a 2 + a 3 .D, where a 0 , ai, a 2 
and a 3 are elements of GF(2 4 ), and where D is an element of GF(2 8 ) 
defined as a root of an irreducible polynomial k(x) = x 2 + x + |3 
over GF(2 4 ), where (5 is an element of GF(2 4 ); and 

calculating (aoa 2 + aia 3 |3) + (aia 2 + a 0 a 3 + aia 3 ) .D. 

33. (New) A program segment as claimed in claim 32, wherein (3 
is a root of an irreducible polynomial h(x) = x 4 + x 3 + x 2 + x + 1 
over GF(2) . 

34. (New) A program segment as claimed in claim 26, wherein 
said sub-block mi comprises eight data bits, and wherein 
calculating the inverse of an element b of GF(2 8 ) comprises 
performing a series of calculations in GF(2 4 ). 
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35. (New) A program segment as claimed in claim 34, wherein 
calculating the inverse of said element b comprises: 

representing b as a 0 + a x .D, where a 0 and ai are elements of 
GF(2 4 ), and where D is an element of GF(2 8 ) defined as a root of an 
irreducible polynomial k(x) = x 2 + x + p over GF(2 4 ), where p is an 
element of GF(2 4 ); and 

calculating (a 0 2 + a 0 ai + ai 2 p) _1 ((a 0 + aj + a x D) . 

36. (New) A processor for cryptographically converting a 
digital input block into a digital output block; said processor 
comprising: 

a first input for obtaining said digital input block; 
a second input for obtaining a first key Kl; and 
a cryptographic processing portion arranged to convert the 
digital input block into the digital output block by executing a 
non-linear function g for non-linearly merging said selected part 
Ml and said first key Kl in one step and producing a data block Bl 
which non-linearly depends on said selected part Ml and said first 
key Kl, where a selected part of said digital output block is 
derived from said data block Bl. 

37. (New) A processor as claimed in claim 36, wherein said 
processor comprises a third input for obtaining a second key K2, 
and wherein said processor is arranged to: 

split said digital input block into said selected part Ml and 
a second part M2 before performing said merging; 

perform a non-linear function g" 1 to merge said second block M2 
with said second key K2 in one step, producing a data block B2 as 
output; said non-linear function g" 1 being the inverse of said non- 
linear function g; and 
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combine data from data in said data block Bl and in said data 
block B2; said digital output block being derived from said 
combined data. 

38. (New) A processor as claimed in claim 36, wherein said 
merging comprises: 

splitting said selected part Ml in a first plurality n of sub- 
blocks m 0 , ..,m n -i of substantially equal length; 

splitting said first key Kl in said first plurality n of sub- 
keys ko, ../k n -i, substantially having equal length, the sub-key k x 
corresponding to the sub-block mi, for i = 0 to n-1; and 

separately processing each of said sub-blocks mi by executing 
for each of said sub-blocks m x a same non-linear function h for 
non-linearly merging a sub-block bi derived from said sub-block m x 
with said corresponding sub-key k L in one, sequentially inseparable 
step and producing said first plurality of output sub-blocks h(b 1A 
ki) ; and 

combining sub-blocks ti derived from said first plurality of 
said output sub-blocks h{h lf ki) to form said data block Bl. 

39. (New) A processor as claimed in claim 38, wherein said 
function h(bi,ki) is defined by: 

h(b x ,ki) = (bx.ki)" 1 , if h x * 0, k± * 0, and b ± * k ± 

h(b 1 ,k i ) = (kj~ 2 , if bi = 0 

h(bi,ki) = (bj" 2 , if ki - 0 

h(bi,ki) = 0, if ^ = k i7 

where the multiplication and inverse operations are predetermined 
Galois Field multiplication and inverse operations. 

40. (New) A processor as claimed in claim 19, wherein said 
sub-block mi comprises eight data bits, and wherein said 
multiplying of two elements b and c of GF(2 8 ) comprises: 
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representing b as a 0 + a x .D and c as a 2 + a 3 .D, where a 0/ a x , a 2 
and a 3 are elements of GF(2 4 ), and where D is an element of GF(2 8 ) 
defined as a root of an irreducible polynomial k(x) = x 2 + x + (5 
over GF(2 4 ), where p is an element of GF(2 4 ); and 

calculating (a 0 a 2 + aia 3 P) + (aia 2 + a 0 a 3 + aia 3 ) .D; 
and wherein calculating the inverse of an element b of GF(2 8 ) com- 
prises calculating (a 0 2 + a 0 ai + ai 2 p) _1 ((a 0 + a x ) + aiD) . 
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REMARKS 

This Amendment is being filed to continue prosecution of 
Claims cancelled without prejudice in a priority application and in 
response to the Advisory Action mailed March 20, 2001 and the Final 
Office Action mailed September 12, 2000. Reconsideration and 
allowance of the application in view of the amendments made above 
and the remarks to follow are respectfully requested. 

Claims 21-40 are pending in this application of which Claims 
21 and 3 6 are independent claims. 

In the outstanding rej ection, the claims were re j ected under 
35 U.S.C. §103 (a) as being unpatentable over U.S. Patent No. 
5,488,661 to Matsui ("Matsui") in view of U.S. Patent No. 5,398,284 
to Koopman ( "Koopman" ) . 

The Applicant specifically claims a program (claim 21) and 
processor (claim 36), wherein the merging step is performed by 
executing a non-linear function for non-linearly merging a select 
part of the plaintext with a first key in a single step. The 
Applicant maintains that both Matsui and Koopman present a linear 
merging, and Koopman presents a multi-step process that augments 
the linear merging with a non-linear operation. 

The Office Action asserts that Matsui and Koopman present a 
non-linear process. The Applicant has repeatedly and continuously 
maintained that the difference between Applicant's claimed 
invention and Matsui and Koopman is the fact that the Applicant 
teaches and claims the merging of a select part of the plaintext 
data with the key in a single non-linear step. 

An "Introduction to Switching Theory and Logical Design", by 
Hill and Peterson, published 1968, presents a definition of a 
linear function in the context of a switching system as would be 
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readily understood by a person of ordinary skill in the art, 
following on page 420, it states that: 

"A linear switching function is a switching 
function, which may be realized using only AND 
gates and exclusive-or gates." 

The above is true because in a switching system (i.e. a two- 
value, 0-1, system, which is conventionally termed a "digital" 
system) , the "addition" function corresponds to an exclusive-or 
function, and the "multiplication" function corresponds to an AND 
function. 

The DES algorithm, Matsui (item 12 in Matsui's FIG. 1), and 
Koopman (items 12 and 14 in FIG. 1) each use an exclusive-or 
function to merge the plaintext data with the key. That is, DES , 
Matsui, and Koopman each use a linear function to merge the 
plaintext data with the key. 

In "Applied Cryptography", by Schneier, published in 1996, 
Schneier notes this linear-then-nonlinear sequential process in 
DES: 

"The S-box substitution is the critical step in 
DES. The algorithm's other steps are linear and 
easy to analyze. The S-boxes are nonlinear and, 
more than anything else, give DES its security." 

In DES, the "other steps" include the merging of the select part of 
the plaintext with the key, via an exclusive-or function. 

Matsui specifically illustrates that a select portion of the 
plaintext data 3 is merged with the output of the "f" block 9 via 
an exclusive-or gate 12. By definition, this is a linear operation. 

In the Office Action of 16 September 1999, an argument is 
presented for demonstrating that Matsui T s process is non-linear. 
The Applicant respectfully notes that the presentation is flawed. 
Following the presented argument, any and all two-input functions 
are non-linear. That is, the Argument uses an undefined function 
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"L" in the "proof" , and goes on to demonstrate that, regardless of 
the particular function "L", "L(P1 + P2) = L(P1) + L(P2) + 2M" . 
That is, even if the function "L" is linear, such as a simple 
addition function, the derivation mistakenly leads to a result that 
a simple addition function is non-linear, which clearly is not 
true. Further, this error is readily apparent to any person 
skilled in the art. 

Koopman uses a bitwise shifting and exclusive-or operation 
that "can be viewed as a multiplication operation between the 
register and mask in the Galois Field GF(2 n ). This operation is, in 
effect, a convolution operation" (Koopman, column 4, lines 43-47) . 
To add a non-linearity to this linear (multiplication) process, 
Koopman halts the convolution after a 'secret 7 number of 
multiplications, and a nonlinear (without carry) Integer Ring 
operation is performed (Koopman, column 4, lines 51-58, and column 
5, lines 35-40) . 

The Applicant respectfully maintains that both Matsui and 
Koopman teach a linear merging of the select part of the plaintext 
with the key. The Applicant further maintains that neither Matsui, 
nor Koopman, individually or collectively, teach or suggest merging 
a select part of the plaintext with a key via a single-step non- 
linear function, as specifically required by each of the currently 
pending claims. Accordingly, the Applicant respectfully request 
that claims 21-40 be allowed. 

Early and favorable action is earnestly solicited. 

Respectfully submitted, 




Gregory L. Thorne, Reg. 39,398 
Senior Patent Counsel 
(914) 333-9665 
August 8, 2001 
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APPENDIX 



AMENDED SPECIFICATION 

Page 1, in the paragraph beginning on line 1, change as follows: 

FIELD OF THE INVENTION 
The invention relates to a method for converting a digital 
input block into a digital output block; said conversion comprising 

the step of merging a selected part Ml of s-a-i-d- the digital input 

block with a first key Kl and producing a data block Bl which non- 
linearly depends on «aidr-the selected part Ml and said the first 
key Kl, and where a selected part of -sai^- the digital output block 
is derived from said the data block Bl. 

Page 1, in the paragraph beginning on line 6, change as follows: 

The invention further relates to an apparatus for 
cryptographically converting a digital input block into a digital 
output block; sa-M-the apparatus comprising first input means for 

eb-t"a-in-iiig---s-a-i^ supplying the digital input block; second input 

means for obtaining for supplying a first key Kl; cryptographic 

processing means for converting the digital input block into the 
digital output block; -sa--ld-- such conversion comprising merging a 
selected part Ml of said the digital input block with said the 
first key Kl and producing a data block Bl which non-linearly 
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depends on seid-the_s elected part Ml and paid the first key Kl, and 

where a selected part of -said-the digital output block is derived 

from 5-a-i-d-- the data block Bl; and output means for outputting said 
the digital output block. 

Page 1, in the paragraph beginning on line 15, change as follows: 

BACKGROUND OF THE INVENTION 
The Data Encryption Standard (DES) of the National Bureau of 
Standard [FIPS publication 46, 1977 January 15] describes a widely 
used algorithm for converting a digital input block into a digital 
output block. Such an algorithm is generally referred to as a block 
cipher. The DES algorithm is used for encrypting (enciphering) and 
decrypting (deciphering) binary coded information. Encrypting 
converts intelligible data, referred to as plaintext, into an 
unintelligible form, referred to as ciphertext. Decrypting the 
ciphertext converts the data back to its original form. In the so- 
called electronic code book mode, DES is used to encrypt blocks of 
64 bits of plaintext into corresponding blocks of 64 bits of 
ciphertext. In this mode, the encryption uses keys which are 
derived from a 64 bit key, of which 56 bits may be freely selected. 
Figure 1 shows the overall structure of DES during encrypting. In 
the encrypting computation, the input (64 bit plaintext) is first 
permuted from 61 bite into 64 bits using a 64 bit fixed permutation 
IP. The result is split into 32 left bits L 0 and 32 right bits R 0 . 
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The right bits are transformed using a cipher function f(R 0 ,Ki), 
where K x is a sub-key. The result f (R 0 ,Ki) is added (bit-wise modulo 
2) to the left bits, followed by interchanging the two resulting 32 
bit blocks L 0 □ f(R 0 ,Ki) and R 0 . This procedure is continued 
iteratively for a total of 16 rounds. At the end of the last round 
the inverse permutation of the initial permutation IP is applied. 

Page 3, in the paragraph beginning on line 6, change as follows: 

SUMMARY OF THE INVENTION 
It is an object of the invention to provide a cryptographic 
method and apparatus of the kind set forth which is more robust 
against cryptanalytic attacks. 

Page 3, in the paragraph beginning on line 9, change as follows: 

To achieve this object, the cryptographic method according to 
the invention is characterised in that said merging the step of 
^£2i£9„^ performed by executing a non-linear 

function g for non-linearly merging said selected part Ml of the 
data and said first key Kl in one, sequentially inseparable step. 
In the DES system, as shown in figure 2, in a first processing step 
the R data is bit-wise added to the key, followed by a second 
processing step of non-linearly processing the result (S-boxes) . 
According to the invention, an algorithm is used which non-linearly 
merges data with a key in one step (i.e. one, sequentially insep- 
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arable step) . As such, adding the key bits to the data is an 
integrated part of the non-linear operation, making the system more 
immune against modern attacks, such as differential cryptanalysis . 

Page 3, in the paragraph beginning on line 19, change as follows: 

In an embodiment of the method according to the invention a-s 
defined in the dependent claim 2 , in each round both parts of the 
digital input block are processed, giving a better encryption 
result than for conventional Feistel ciphers, such as DES, where 
during each round only half of the digital input block is being 
processed. To ensure that the same system can be used for both 
encryption and decryption, one part of the data is processed using 
an operation g, whereas the other half is processed using the 
inverse operation g" 1 . Using this scheme, decrypting is performed by 
using the same system but supplying the keys in reverse order to 
the rounds (during decryption the first non-linear step is supplied 
with the key which, during encryption, was supplied to the last 
non-linear step, etc ) . Compared to a conventional implementation 
of a Feistel cipher with twice as many rounds, the system according 
to the invention is faster. 

Page 3, in the paragraph beginning on line 30, change as follows: 

The measure €ts — defined in the — dependent — claim 3, — wherein of 
.?PlA5.y.5 L .2... a relatively large data block and key, of for instance 64 
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bits, £H?e — split — into smaller sub-blocks and sub-keys simplifies 
real-time non-linear processing* 

Page 3, in the paragraph beginning on line 33, change as follows: 

In an embodiment of the method according to the invention ets 
de#i-ae4----in--^ a constant is used to enhance the 

quality of the encryption. Advantageously, the constant is 
predetermined per system, forming, for instance, a customer- 
specific constant . Alternatively, the constant is generated using a 
pseudo-random generator. 

Page 4, in the paragraph beginning on line 3, change as follows: 

The measure defined in dependent claim 6 invention provides a 
way for non-linearly merging the data sub-block and the sub-key in 
one step. Additionally, different inputs all result in different 
outputs. This increases the immunity of the system against 
cryptanalytic attacks, compared to DES where the non-linear 
operation reduces the 6-bit input sub-block to a 4-bit output sub- 
block, implying that the same output is produced for four different 
inputs . 

Page 4, in the paragraph beginning on line 8, change as follows: 

In an embodiment of the method according to the invention ars- 
de-f4-n-ed"-4-n""the----dependen%""eia-im-""7-""a constant is used to enhance the 
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quality of the encryption. Advantageously, the constant is 
predetermined per system, forming, for instance, a customer- 
specific constant* Alternatively, the constant is generated using a 
pseudo-random generator • 

Page 4, delete the entire paragraph beginning on line 12. 

Page 4, in the paragraph beginning on line 14, change as follows: 

In an embodiment of the method according to the invention a-s 
define d in the depend e nt — claim 10 individual sub-blocks correspon- 
ding to different parts of the digital input block are swapped to 
improve the quality of the encryption. 

Page 4, in the paragraph beginning on line 20, change as follows: 

-T-h-e -me-a-s-u-re a-s- de-f -i-ned -i-n- the dependent- el-aim 1-1- An other 

embodiment has the advantage of reducing the multiplication in 
GF(2 8 ) to operations in GF(2 4 ), making it possible to achieve a 
simpler or more cost-effective implementation. 

Page 4, in the paragraph beginning on line 23, change as follows: 

-T-h-e -m-e-as-u-re de-f-i-ned- i-n -the dependent- el-aim -1--2 gives a-n 

e-f-f - e-e -ti-v-e wa-y ei r-ed-ue-i-n-g -t-h-e The mu ltiplication in GF(2 8 ) may be 

reduced to operations in GF(2 4 ). 
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Page 4, in the paragraph beginning on line 28, change as follows: 

An embodiment of the method according to the invention is 
characterised in that calculating the inverse e-f~~ b in an element of 
GF(2 8 ) comprises performing a series of calculations in GF(2 4 ). By 
reducing the inverse operation in GF(2 8 ) to operations in GF(2 4 ) a 
simpler or more-cost effective implementation can be achieved. 

Page 5, in the paragraph beginning on line 13, change as follows: 

BRIEF DESCRIPTION OF THE DRAWINGS 
Figure 1 shows the processing steps for the DES system, 
Figure 2 illustrates details of merging the data with the key 

and the non-linear operation in DES, 

Figure 3 illustrates details of the key calculation in DES, 
Figure 4 shows a block diagram of the cryptographic apparatus 

of the invention, 

Figure 5 illustrates separate processing of two parts of the 
digital input block, 

Figure 6 illustrates processing of a part of the digital input 
block in the form of sub-blocks, 

Figure 7 illustrates processing of two parts in the form of 
sub-blocks, and 

Figure 8 shows an overall encryption system. 
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Page 5, in the paragraph beginning on line 25, change as follows: 

DETAILED DESCRIPTION OF THE_I_W^ 
Figure 4 shows a block diagram of the cryptographic apparatus 
400 according to the invention* For the purpose of explaining the 
invention, the system is described in the electronic code book 
mode. Persons skilled in the art will be able to use the system in 
other modes as well. The apparatus 400 comprises first input means 
410 for obtaining p r o vi ding _ a digital input block M. The digital 
input block M may be any suitable size. Preferably, M is suffi- 
ciently large, for instance 128 bits, to obtain a reasonably secure 
encryption result. The apparatus 400 further comprises 
cryptographic processing means 420 for converting the digital input 
block into a digital output block. Advantageously, the digital 
output block has substantially equal length as the digital input 
block. The apparatus 400 comprises output means 430 for outputting 
the digital output block. Basically, the cryptographic processing 
means 420 converts the digital input block M into the digital 
output block by merging a selected part Ml of the digital input 
block M with a first key Kl, producing a data block Bl which non- 
linearly depends on Ml and Kl . The merging is performed in one, 
sequentially inseparable step. The digital output block is derived 
from Bl and the remaining part of M, which is not part of Ml. To 
obtain the first key Kl, the cryptographic apparatus 400 comprises 
second input m-e-an-s-block 440. As will be described in more details 
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below, a second part M2 of the digital input block may be non- 
linearly merged with a second key K2, preferably, using an 
operation inverse to the operation for merging Ml and Kl, producing 
a data block B2 . In this case, the digital output block also 
depends on B2. To obtain the second key K2, the cryptographic 
apparatus 400 comprises third input me-ans- b lock 4 5 0 . 

Page 6, in the paragraph beginning on line 22, change as follows: 

-I-n- -the remainder- e-f- the deeume-R-t- d-e-t-a-i-l-s- - Details of the 

cryptographic conversion £tre — given process will now be described 
for encrypting blocks of 128 bits of plaintext into corresponding 
blocks of 128 bits of ciphertext. Persons skilled in the art will 
be able to use the system for other block sizes as well. Data sizes 
shown in the Figures are given for reasons of clarity and should be 
treated as examples only. The description focuses on the non-linear 
processing of the data and the merging of the key with the data as 
performed in one round. As such the invention can be applied in a 
system as shown in Figure 1, comprising multiple rounds and also 
including a linear operation on the data block in each round. 

Page 10, in the paragraph beginning on line 19, change as follows: 

In principle, for the invention any multiplication in GF(2 8 ) 
may be used. An example of a VLSI implementation of multiplications 
in GF(2 m ) is given in [P. A. Scott, "A fast VLSI multiplier for 
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GF(2 m )", IEEE Journal on selected areas in communications, Vol. 
SAC-4, No. 1, January 1986, pages 62-66] . Advantageously, the 
following mechanism is used to reduce the multiplication in GF(2 8 ) 
to a series of multiplications and additions in GF(2 4 ) . As is known 
in the art, in finite fields with a characteristic of 2 (e.g. 
GF(2 n )) and the Galois field represented in binary arithmetic, the 
subtraction operation (i.e. the inver se of addition) is the same as 

the addition operation. For convenience, the " + " symbol is used 

herein for this addition/subtraction operation, although a 
symbol may be equivalently substituted for ease of understanding, 
as required. 
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ABSTRACT OF THE DISCLOSURE 
A method and apparatus for cryptographically converting a 
digital input data block into a digital output data block. The 
apparatus has an input for supplying the input data block and a 
further input for supplying a code conversion digital key Kl. 
Cryptographic processing merges a selected part Ml of the digital 
input data block with the key Kl to produce a data block Bl that is 
non-linearly dependent on Ml and Kl. The merging is performed in 
one sequentially inseparable step. The digital output block is 
derived from a selected part of the data block Bl . 
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